Windows Analysis Report Weemaes B.V.-PO74748392.exe

Overview

General Information

Sample Name: Weemaes B.V.-PO74748392.exe
Analysis ID: 458358
MD5: a08f23a15ef10b17370668cf5b9947ad
SHA1: 7cc53628714dd9d69881be1d186adf7b3e7af9cd
SHA256: cc8e7690934b9059a1613d246a6c933df5dd7b1e333038dc76f7839dcc5697cd
Tags: exe

Detection

GuLoader
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Found potential dummy code loops (likely to delay analysis)
Potentially malicious time measurement code found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: Weemaes B.V.-PO74748392.exe Malware Configuration Extractor: GuLoader {"Payload URL": "http://rossettlee.ddnsgeek.com/x/5bab0b1d864615bab0b1d864b3/2"}
Multi AV Scanner detection for submitted file
Source: Weemaes B.V.-PO74748392.exe Virustotal: Detection: 35%

Compliance:

Uses 32bit PE files
Source: Weemaes B.V.-PO74748392.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://rossettlee.ddnsgeek.com/x/5bab0b1d864615bab0b1d864b3/2
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: http://s.symcd.com06
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: Weemaes B.V.-PO74748392.exe String found in binary or memory: https://d.symcb.com/rpa0.

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7989 NtAllocateVirtualMemory, 1_2_021C7989
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7A86 NtAllocateVirtualMemory, 1_2_021C7A86
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7AB9 NtAllocateVirtualMemory, 1_2_021C7AB9
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7B15 NtAllocateVirtualMemory, 1_2_021C7B15
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7B5A NtAllocateVirtualMemory, 1_2_021C7B5A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7B9F NtAllocateVirtualMemory, 1_2_021C7B9F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C77FF NtAllocateVirtualMemory, 1_2_021C77FF
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C796D NtAllocateVirtualMemory, 1_2_021C796D
Detected potential crypto function
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7989 1_2_021C7989
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CD609 1_2_021CD609
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6A0A 1_2_021C6A0A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CB604 1_2_021CB604
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1202 1_2_021C1202
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5E3A 1_2_021C5E3A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6233 1_2_021C6233
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C822D 1_2_021C822D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3E51 1_2_021C3E51
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5E51 1_2_021C5E51
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3652 1_2_021C3652
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6644 1_2_021C6644
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C567C 1_2_021C567C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5A7D 1_2_021C5A7D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6672 1_2_021C6672
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1A62 1_2_021C1A62
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1292 1_2_021C1292
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6A8E 1_2_021C6A8E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5A86 1_2_021C5A86
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6286 1_2_021C6286
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2682 1_2_021C2682
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1682 1_2_021C1682
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1ABE 1_2_021C1ABE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5EBE 1_2_021C5EBE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CAEB3 1_2_021CAEB3
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0AA6 1_2_021C0AA6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4AA2 1_2_021C4AA2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C12D5 1_2_021C12D5
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1ED2 1_2_021C1ED2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5AFA 1_2_021C5AFA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C16F6 1_2_021C16F6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C66F6 1_2_021C66F6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6AEA 1_2_021C6AEA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C82EA 1_2_021C82EA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4B1F 1_2_021C4B1F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3F1A 1_2_021C3F1A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C370D 1_2_021C370D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0B0E 1_2_021C0B0E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C570E 1_2_021C570E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C130A 1_2_021C130A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C630B 1_2_021C630B
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2302 1_2_021C2302
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0302 1_2_021C0302
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C033F 1_2_021C033F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5F2E 1_2_021C5F2E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C8724 1_2_021C8724
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C635A 1_2_021C635A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1355 1_2_021C1355
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5B56 1_2_021C5B56
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C8352 1_2_021C8352
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C174E 1_2_021C174E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4B4E 1_2_021C4B4E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1B7E 1_2_021C1B7E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C377E 1_2_021C377E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C577E 1_2_021C577E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1376 1_2_021C1376
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C636E 1_2_021C636E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C036F 1_2_021C036F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0B6A 1_2_021C0B6A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0363 1_2_021C0363
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5F9A 1_2_021C5F9A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0396 1_2_021C0396
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1F96 1_2_021C1F96
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C17BA 1_2_021C17BA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C53A1 1_2_021C53A1
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C63DE 1_2_021C63DE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C37D7 1_2_021C37D7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4BC8 1_2_021C4BC8
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C77FF 1_2_021C77FF
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3FF7 1_2_021C3FF7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1FF0 1_2_021C1FF0
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5BE6 1_2_021C5BE6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C13E2 1_2_021C13E2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA018 1_2_021CA018
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C800E 1_2_021C800E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0000 1_2_021C0000
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6002 1_2_021C6002
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C043E 1_2_021C043E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C383A 1_2_021C383A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA435 1_2_021CA435
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4C32 1_2_021C4C32
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1828 1_2_021C1828
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0827 1_2_021C0827
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6822 1_2_021C6822
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6056 1_2_021C6056
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C644E 1_2_021C644E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C804F 1_2_021C804F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C204A 1_2_021C204A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C404A 1_2_021C404A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C147A 1_2_021C147A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C807A 1_2_021C807A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3C6C 1_2_021C3C6C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA86A 1_2_021CA86A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CAC60 1_2_021CAC60
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0492 1_2_021C0492
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6892 1_2_021C6892
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5C83 1_2_021C5C83
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C80AE 1_2_021C80AE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C10AF 1_2_021C10AF
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2CAA 1_2_021C2CAA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C64A6 1_2_021C64A6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5CDB 1_2_021C5CDB
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C18D6 1_2_021C18D6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C34CE 1_2_021C34CE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CB8C4 1_2_021CB8C4
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3CC1 1_2_021C3CC1
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C14FE 1_2_021C14FE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2CE9 1_2_021C2CE9
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4CE4 1_2_021C4CE4
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C60E7 1_2_021C60E7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7CE1 1_2_021C7CE1
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CB51C 1_2_021CB51C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C811E 1_2_021C811E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2D0F 1_2_021C2D0F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3D0A 1_2_021C3D0A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C293A 1_2_021C293A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C412D 1_2_021C412D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2928 1_2_021C2928
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1D5C 1_2_021C1D5C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1552 1_2_021C1552
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4D48 1_2_021C4D48
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6548 1_2_021C6548
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5145 1_2_021C5145
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CCD46 1_2_021CCD46
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C8146 1_2_021C8146
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C597F 1_2_021C597F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA175 1_2_021CA175
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3D6C 1_2_021C3D6C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C796D 1_2_021C796D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3167 1_2_021C3167
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0D67 1_2_021C0D67
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5D62 1_2_021C5D62
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C699E 1_2_021C699E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C119A 1_2_021C119A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1190 1_2_021C1190
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C8192 1_2_021C8192
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C298A 1_2_021C298A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C9D85 1_2_021C9D85
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C15BA 1_2_021C15BA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C65AF 1_2_021C65AF
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C09AA 1_2_021C09AA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C19A7 1_2_021C19A7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2DDC 1_2_021C2DDC
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C65C6 1_2_021C65C6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C29F8 1_2_021C29F8
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C19FB 1_2_021C19FB
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA5EB 1_2_021CA5EB
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5DE6 1_2_021C5DE6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3DE2 1_2_021C3DE2
PE / OLE file has an invalid certificate
Source: Weemaes B.V.-PO74748392.exe Static PE information: invalid certificate
PE file contains strange resources
Source: Weemaes B.V.-PO74748392.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Weemaes B.V.-PO74748392.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Weemaes B.V.-PO74748392.exe, 00000001.00000002.756304020.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePROKURAERS.exe vs Weemaes B.V.-PO74748392.exe
Source: Weemaes B.V.-PO74748392.exe, 00000001.00000002.758261692.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Weemaes B.V.-PO74748392.exe
Source: Weemaes B.V.-PO74748392.exe Binary or memory string: OriginalFilenamePROKURAERS.exe vs Weemaes B.V.-PO74748392.exe
Uses 32bit PE files
Source: Weemaes B.V.-PO74748392.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal84.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe File created: C:\Users\user~1\AppData\Local\Temp\~DF5CD84833B4F133BE.TMP
Source: Weemaes B.V.-PO74748392.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Weemaes B.V.-PO74748392.exe Virustotal: Detection: 35%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.758678567.00000000021C0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_004079B4 push edi; retf 1_2_004079C2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4442 push edx; ret 1_2_021C4443
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4469 push edx; ret 1_2_021C446A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C24A2 push F7664D43h; ret 1_2_021C24A7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CD609 1_2_021CD609
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6A0A 1_2_021C6A0A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C423A 1_2_021C423A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5E3A 1_2_021C5E3A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6233 1_2_021C6233
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3E51 1_2_021C3E51
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5E51 1_2_021C5E51
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6644 1_2_021C6644
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C567C 1_2_021C567C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5A7D 1_2_021C5A7D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6672 1_2_021C6672
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6A8E 1_2_021C6A8E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5A86 1_2_021C5A86
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6286 1_2_021C6286
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2682 1_2_021C2682
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5EBE 1_2_021C5EBE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C42A2 1_2_021C42A2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4AA2 1_2_021C4AA2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5AFA 1_2_021C5AFA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C66F6 1_2_021C66F6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6AEA 1_2_021C6AEA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C231C 1_2_021C231C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4B1F 1_2_021C4B1F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3F1A 1_2_021C3F1A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C430E 1_2_021C430E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C630B 1_2_021C630B
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2302 1_2_021C2302
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C473D 1_2_021C473D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5F2E 1_2_021C5F2E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C8724 1_2_021C8724
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C635A 1_2_021C635A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5B56 1_2_021C5B56
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4B4E 1_2_021C4B4E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C476E 1_2_021C476E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C636E 1_2_021C636E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5F9A 1_2_021C5F9A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4396 1_2_021C4396
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C47BE 1_2_021C47BE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C47AD 1_2_021C47AD
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C53A1 1_2_021C53A1
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C63DE 1_2_021C63DE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3FF7 1_2_021C3FF7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5BE6 1_2_021C5BE6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA018 1_2_021CA018
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4816 1_2_021C4816
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C800E 1_2_021C800E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6C0E 1_2_021C6C0E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6002 1_2_021C6002
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA435 1_2_021CA435
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6822 1_2_021C6822
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6C5E 1_2_021C6C5E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6056 1_2_021C6056
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C644E 1_2_021C644E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C804F 1_2_021C804F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C404A 1_2_021C404A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C487E 1_2_021C487E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C807A 1_2_021C807A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3C6C 1_2_021C3C6C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6892 1_2_021C6892
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4480 1_2_021C4480
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7081 1_2_021C7081
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5C83 1_2_021C5C83
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C80AE 1_2_021C80AE
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C10AF 1_2_021C10AF
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C64A6 1_2_021C64A6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C44DD 1_2_021C44DD
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C48DA 1_2_021C48DA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5CDB 1_2_021C5CDB
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6CD6 1_2_021C6CD6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CB8C4 1_2_021CB8C4
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3CC1 1_2_021C3CC1
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C44FA 1_2_021C44FA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2CE9 1_2_021C2CE9
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C60E7 1_2_021C60E7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7CE1 1_2_021C7CE1
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CB51C 1_2_021CB51C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3D0A 1_2_021C3D0A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C412D 1_2_021C412D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C6548 1_2_021C6548
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C597F 1_2_021C597F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA175 1_2_021CA175
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3D6C 1_2_021C3D6C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C0D67 1_2_021C0D67
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5D62 1_2_021C5D62
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C699E 1_2_021C699E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1190 1_2_021C1190
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C65AF 1_2_021C65AF
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C25D8 1_2_021C25D8
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C65C6 1_2_021C65C6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C41EA 1_2_021C41EA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA5EB 1_2_021CA5EB
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5DE6 1_2_021C5DE6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3DE2 1_2_021C3DE2
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe RDTSC instruction interceptor: First address: 00000000021C0135 second address: 00000000021C0160 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b jmp 00007F3FF0A97B1Ah
  0x0000000d pushad
  0x0000000e mov eax, 000000FDh
  0x00000013 rdtsc
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe RDTSC instruction interceptor: First address: 00000000021CB063 second address: 00000000021CB136 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b test edx, 9428169Fh
  0x00000011 cmp esi, edi
  0x00000013 mov edi, dword ptr [ebp+000001BEh]
  0x00000019 je 00007F3FF03980A9h
  0x0000001f push 3343CA3Bh
  0x00000024 jmp 00007F3FF0397956h
  0x00000026 test dh, ch
  0x00000028 xor dword ptr [esp], 478B418Dh
  0x0000002f cmp edx, 82262C5Fh
  0x00000035 sub dword ptr [esp], 2EB968E3h
  0x0000003c xor dword ptr [esp], 460F22D3h
  0x00000043 cmp ebx, ebx
  0x00000045 cmp dl, 0000002Ah
  0x00000048 test ebx, edx
  0x0000004a push 1ACA19CEh
  0x0000004f cmp ch, ch
  0x00000051 xor dword ptr [esp], A03EEE6Ah
  0x00000058 pushad
  0x00000059 mov di, 3215h
  0x0000005d cmp di, 3215h
  0x00000062 jne 00007F3FF0396679h
  0x00000068 popad
  0x00000069 xor dword ptr [esp], 7AA2B45Eh
  0x00000070 sub dword ptr [esp], C05643DEh
  0x00000077 test cl, bl
  0x00000079 mov dword ptr [ebp+0000023Bh], ecx
  0x0000007f mov ecx, edi
  0x00000081 push ecx
  0x00000082 mov ecx, dword ptr [ebp+0000023Bh]
  0x00000088 jmp 00007F3FF039795Ah
  0x0000008a test ah, dh
  0x0000008c test dh, ah
  0x0000008e test eax, eax
  0x00000090 mov dword ptr [ebp+00000180h], edx
  0x00000096 mov edx, 92B25D48h
  0x0000009b cmp bl, al
  0x0000009d xor edx, 7EFE344Eh
  0x000000a3 pushad
  0x000000a4 lfence
  0x000000a7 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7989 rdtsc 1_2_021C7989
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Process Stats: CPU usage > 90% for more than 60s
Potentially malicious time measurement code found
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C423A Start: 021C4526 End: 021C453A 1_2_021C423A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3E51 Start: 021C4526 End: 021C453A 1_2_021C3E51
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C42A2 Start: 021C4526 End: 021C453A 1_2_021C42A2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2AC6 Start: 021C2BBB End: 021C2BD4 1_2_021C2AC6
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3F1A Start: 021C4526 End: 021C453A 1_2_021C3F1A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C430E Start: 021C4526 End: 021C453A 1_2_021C430E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C473D Start: 021C4526 End: 021C453A 1_2_021C473D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4396 Start: 021C4526 End: 021C453A 1_2_021C4396
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3FF7 Start: 021C4526 End: 021C453A 1_2_021C3FF7
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C404A Start: 021C4526 End: 021C453A 1_2_021C404A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4480 Start: 021C4526 End: 021C453A 1_2_021C4480
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C44DD Start: 021C4526 End: 021C453A 1_2_021C44DD
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C44FA Start: 021C4526 End: 021C453A 1_2_021C44FA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C293A Start: 021C2BBB End: 021C2BD4 1_2_021C293A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C412D Start: 021C4526 End: 021C453A 1_2_021C412D
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C2928 Start: 021C2BBB End: 021C2BD4 1_2_021C2928
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C298A Start: 021C2BBB End: 021C2BD4 1_2_021C298A
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C29F8 Start: 021C2BBB End: 021C2BD4 1_2_021C29F8
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C41EA Start: 021C4526 End: 021C453A 1_2_021C41EA
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3DE2 Start: 021C4526 End: 021C453A 1_2_021C3DE2
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C7989 rdtsc 1_2_021C7989
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4AA2 mov eax, dword ptr fs:[00000030h] 1_2_021C4AA2
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4B1F mov eax, dword ptr fs:[00000030h] 1_2_021C4B1F
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4B4E mov eax, dword ptr fs:[00000030h] 1_2_021C4B4E
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C73B1 mov eax, dword ptr fs:[00000030h] 1_2_021C73B1
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C4BC8 mov eax, dword ptr fs:[00000030h] 1_2_021C4BC8
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C3C6C mov eax, dword ptr fs:[00000030h] 1_2_021C3C6C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C10AF mov eax, dword ptr fs:[00000030h] 1_2_021C10AF
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CB8C4 mov eax, dword ptr fs:[00000030h] 1_2_021CB8C4
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CB51C mov eax, dword ptr fs:[00000030h] 1_2_021CB51C
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C1190 mov eax, dword ptr fs:[00000030h] 1_2_021C1190
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021CA5EB mov eax, dword ptr fs:[00000030h] 1_2_021CA5EB
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C9DE5 mov eax, dword ptr fs:[00000030h] 1_2_021C9DE5
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Weemaes B.V.-PO74748392.exe, 00000001.00000002.757825907.0000000000C90000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: Weemaes B.V.-PO74748392.exe, 00000001.00000002.757825907.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Weemaes B.V.-PO74748392.exe, 00000001.00000002.757825907.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Weemaes B.V.-PO74748392.exe, 00000001.00000002.757825907.0000000000C90000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Code function: 1_2_021C5A2A cpuid 1_2_021C5A2A
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Weemaes B.V.-PO74748392.exe Queries volume information: C:\ VolumeInformation
No contacted IP infos